Description
Hello,
I'm new to keylime so forgive me if I'm missing something obvious or already covered. I believe I discovered a bug in the installation of keylime-agent on Debian 12:
When installing the rust agent on Debian 12 according to these instructions, I was unable to start the agent, or it would start but stop quickly/after a timeout and files in /var/lib/keylime (like agent_data.json and the 2 cert files) weren't created. I narrowed it down to the keylime user and associated changes not being created/applied and then discovered this post-installation script.
After manually completing the steps in the script, the agent starts (I still get an error because I don't have any other keylime components installed yet (like the registrar), but that's a different issue, I think (see journalctl output below)). Please confirm:
```
Mar 30 13:40:15 seaurchin nslcd[1574]: [e4ccaf] <authz="ooboyle"> no available LDAP server found: Server is unavailable: Transport endpoint is not connected
Mar 30 13:40:15 seaurchin sudo[8328]: pam_ldap(sudo:account): error reading from nslcd: Connection reset by peer
Mar 30 13:40:16 seaurchin keylime_agent[8327]: INFO keylime_agent > Loaded old AK key from /var/lib/keylime/agent_data.json
Mar 30 13:40:16 seaurchin keylime_agent[8327]: INFO keylime_agent > Agent UUID: d432fbb3-d2f1-4a97-9ef7-75bd81c00000
Mar 30 13:40:16 seaurchin keylime_agent[8327]: WARN keylime::crypto > Could not load certs from /var/lib/keylime/cv_ca/cacert.crt: failed to read
Mar 30 13:40:16 seaurchin keylime_agent[8327]: INFO keylime::registrar_client > Requesting registrar API version to http://127.0.0.1:8890/version
Mar 30 13:40:16 seaurchin keylime_agent[8327]: Error: RegistrarClientBuilder(Reqwest(reqwest::Error { kind: Request, url: "http://127.0.0.1:8890/version", source: hyper_util::client::legacy::Error(Connect, Connect, ConnectError("tcp connect error", Os { code: 111, kind: ConnectionRefused, message: "Connection refused" })) }))
Mar 30 13:40:16 seaurchin systemd[1]: keylime_agent.service: Main process exited, code=exited, status=1/FAILURE
```
The cargo-deb creation seems to run fine. But when I install the .deb package it outputs, I get the following error:
```
Could not execute systemctl: at /usr/bin/deb-systemd-invoke line 148.
```
which points to this line in /usr/bin/deb-systemd-invoke:
```perl
if (@start_units) {
    system('systemctl', '--quiet', @instance_args, $action, @start_units) == 0 or die("Could not execute systemctl: $!");
}
```
I'm not sure what that line is supposed to do, but perhaps it's related to the postinst script not running.
Could someone please:
a) confirm this is a bug and the approved workaround (if it's user error, please point me in the right direction)
b) confirm that the errors in the above journalctl logs will go away once I have a registrar installed
Thanks,
Oliver